HAProxy – Fix PR TLS Termination Failed Error

Tags: haproxy, load balancing, ssl

I'm posting here because I'm trying to set up HAProxy as a reverse proxy with SSL/TLS termination and I get the following error in the logs:

Oct 17 12:10:03 localhost haproxy[2789]: xxx.xxx.xxx.xxx:33724 [17/Oct/2020:12:10:03.784] www-https www-https/<NOSRV> -1/-1/-1/-1/0 400 188 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"

And I don't understand why HAProxy is blocking the request.

Could you help me?

This is my haproxy.cfg:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 5s
        user haproxy
        group haproxy
        daemon

        tune.ssl.default-dh-param 4096

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        option http_proxy
        timeout connect 5000
        timeout client  50000
        timeout server  5000 
        stats enable
        stats hide-version
        stats refresh 5s
        stats uri /hastats



frontend www-http
        bind *:80
        reqadd X-Forwarded-Proto:\ http
        default_backend www-backend

        # Test URI to see if its a letsencrypt request
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl


frontend www-https
        bind *:8000-9000 crt /etc/haproxy/certs/www.example.com.pem
        bind *:443 crt /etc/haproxy/certs/www.example.com.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend


backend www-backend
        mode http
        http-request set-header X-Forwarded-For %[src]
        reqadd X-Forwarded-Proto:\ https
        option http-server-close
        balance roundrobin
        redirect scheme https if !{ ssl_fc }
        server web1 xxx.xxx.xxx.101:80 check
        server web2 xxx.xxx.xxx.102:80 check

backend letsencrypt-backend
        server letsencrypt 127.0.0.1:8080

Best Answer

In frontend www-https, in the bind line, add ssl before crt. Without ssl it works as plain HTTP. So:

bind *:443 ssl crt /etc/haproxy/certs/www.example.com.pem
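A small lint, added here as an example and not part of the question or the answer, that scans a haproxy.cfg for exactly this mistake: any bind line that carries a crt certificate but no ssl keyword, so the listener would serve plain HTTP on a port that clients will speak TLS to. It generalizes beyond the single *:443 line in the answer to every bind in every section (the *:8000-9000 range in the question has the same problem). The sample config is constructed from the question's www-https frontend with placeholder backend addresses.

```python
"""Report 'bind' lines in an HAProxy config that have 'crt' but not 'ssl'.

Without 'ssl', HAProxy treats the listener as plain HTTP, and a TLS
ClientHello arriving there is parsed as a malformed request, which is how
a 400 / PR-- / <BADREQ> log line like the one in the question comes about.
"""
import re
from typing import List, Tuple

# Section headers that start a new proxy block in haproxy.cfg.
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")


def find_plaintext_crt_binds(cfg_text: str) -> List[Tuple[str, int, str]]:
    """Return (section, line_no, bind_line) for each bind with crt but no ssl."""
    findings = []
    section = "<none>"
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1) + " " + m.group(2)).strip()
            continue
        tokens = line.split()
        if tokens[0] != "bind":
            continue
        # Exact token match: 'crt-list' or 'ssl-min-ver' must not count as 'crt'/'ssl'.
        has_crt = "crt" in tokens[1:]
        has_ssl = "ssl" in tokens[1:]
        if has_crt and not has_ssl:
            findings.append((section, line_no, line))
    return findings


# Constructed sample, modelled on the question's frontend (placeholder addresses).
SAMPLE_CFG = """\
frontend www-https
        bind *:8000-9000 crt /etc/haproxy/certs/www.example.com.pem
        bind *:443 crt /etc/haproxy/certs/www.example.com.pem
        default_backend www-backend

backend www-backend
        server web1 192.0.2.101:80 check
"""
FIXED_CFG = SAMPLE_CFG.replace(" crt ", " ssl crt ")  # the answer's fix applied

if __name__ == "__main__":
    for section, n, text in find_plaintext_crt_binds(SAMPLE_CFG):
        print(f"line {n} ({section}): {text}  <- add 'ssl' before 'crt'")
```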